Mozilla Corporation just released Firefox 2.0.0.10 which includes fixes against JAR uri attacks. This issue affected browsers that used Gecko engine, a quick check showed me that only K-meleon browser was also updated, however there are several Gecko based web browsers that need to get fixed: Gecko-based browsers.

Update: Let’s make that, Firefox 2.0.0.11, which also fixes some regressions.

According to pdp, this issue makes vulnerable to Cross-site scripting applications that allow users uploading compressed ZIP, and JAR files. After a couple of minutes messing around the poc’s, I figured out that sites with open redirect issues are vulnerable too. I’ve created this poc that attacks Gmail, it’s based on my previous post and it will only show your contacts list, it’s not being logged server side or anything (as some people thought that my previous poc did. Credit to tx for discovering the open redirect issue used to exploit Google / Firefox):

Update: NoScript released stable version with Jar protection. A new bugzilla (#403331) entry was created to fix the inappropiate redirect on jar protocol, according to the lastest comments and bug keyword, there seems to be a patch and will be availible with Firefox 2.0.0.10.